Electronic devices such as computers, smartphones, smart watches, voice-activated home assistants, and Internet-of-things connected devices typically run a variety of applications. Some of these applications may be native to or otherwise known and trusted by the operating system running on the device. Others may be third-party applications, which may not be known to the operating system when first installed on the device.
Applications running on a device need to communicate with a server, and the server wants assurance that it is talking with the application itself, and not with someone pretending to be the application. When an application running on a client device makes a service request to a server, the server will be programmed to ensure that the request is authentic before it grants the request. Thus, the client application must provide some form of identity verification to the server. One way of doing this is by bundling a token with the application, then having the application send that token to the server.
However, one may not wish to bundle a key, certificate or other token with the application itself. A pretender can take apart the application, extract the token, and masquerade as the application. Thus, bundling the key with the application could expose the token to being extracted and used by attackers to spoof requests.
In addition, third-party applications that are not native to or known by the operating system of the client may face difficulty obtaining authentication. The client's native service may not permit the application to obtain a service without authorization. Moreover, the one-way application-device secure authenticated channel described above is not a two-way channel.
This document describes methods and systems that are directed to solving at least some of the issues discussed above, and/or other problems.